Doing Our Part – Without Hacking Back

In his new book, "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age," author David E. Sanger chronicles numerous examples of the impact of cyber activities on geopolitical conditions. One such example involves the scale and scope of the Chinese Army's economic and industrial espionage targeting organizations for commercial gain, which was uncovered by Mandiant after a multi-year investigation and disclosed in our APT1 report, published in February 2013.

In our APT1 report, we provided attribution for cyber espionage conducted by the Chinese PLA Unit 61398. As part of the APT1 report's initial release, we coordinated with Mr. Sanger, giving him access to the methods we used to gather evidence of the attribution of APT1 to PLA unit 61398. Mr. Sanger's reporting on APT1 played a critical role in exposing the world to the cyber threat that private organizations were facing from Chinese nation-state backed attackers, and "The Perfect Weapon" continues to help drive a productive dialogue on the real-world implications of a changing threat landscape.

Mr. Sanger's description of how Mandiant obtained some of the evidence underlying APT1 has resulted in a serious mischaracterization of our investigative efforts. Specifically, Mr. Sanger suggests our "…investigators reached back through the network to activate the cameras on the hackers' own laptops." We did not do this, nor have we ever done this. To state this unequivocally, Mandiant did not employ "hack back" techniques as part of our investigation of APT1, does not "hack back" in our incident response practice, and does not endorse the practice of "hacking back."

The conclusion that we hacked back, while incorrect, is understandable. Included in the evidence we reviewed with Mr. Sanger at the time were videos of APT1 operators interacting with malware command and control servers (a.k.a. "hop points"), including the operators' "personal" web browsing (e.g. checking social media...etc.) on those systems. More information on APT1 "hop points" is available in the "Infrastructure" section starting on page 39 of the original APT1 report and demonstrated in this video, released at the same time as the report:

To someone observing this video "over the shoulder" of one of our investigators, it could appear as live system monitoring. Nevertheless, Mandiant did not create these videos through "hacking back" or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised.

As a standard practice, in an effort to protect companies from unauthorized intrusions, we implement consensual network monitoring agreements with many victim organizations for the purposes of helping better secure those organizations. The videos Mr. Sanger viewed were from Windows Remote Desktop Protocol (RDP) network packet captures (PCAP) of Internet traffic at these victim organizations. Mandiant has never turned on the webcam of an attacker or victim system.  

In short, we do not fight hackers by hacking, but by diligently and legally pursuing attribution with a rigor and discipline that the cause requires. The anonymity of the Internet is routinely used to mask the identities of perpetrators who violate our privacy and our laws, and it is our goal to relentlessly protect our customers and make the Internet a fair and safe place to operate. APT1 was the result of Mandiant doing our part to expose risks and share information to help organizations better protect themselves, and we will continue to do our part – without hacking back.